X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=ffc4bf17058bffa9d8752a4cd14204971356ee9a;hb=8a6b446c7e336596af614c853e1c6177e55a7983;hp=fdb4c219d4eb2b9154c500c93fe6d751fe962113;hpb=f7a2fe0e56e14b55818245a2e3a2eb68f1cd23de;p=distro-setup

diff --git a/mail-setup b/mail-setup
index fdb4c21..ffc4bf1 100755
--- a/mail-setup
+++ b/mail-setup
@@ -15,28 +15,38 @@ set -x
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# todo: make quick backups of maildir, or deliver to multiple hosts.
+
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+if [[ ! $SUDO_USER ]]; then
+  echo "$0: error: requires running as nonroot or sudo"
+  exit 1
+fi
+u=$SUDO_USER
+
 
 usage() {
-    cat <<EOF
+  cat <<EOF
 Usage: ${0##*/} exim4|postfix
 Setup exim4 / postfix / dovecot
 
 The minimal assumption we have is that /etc/mailpass exists
 
 
-I\'ve had problems with postfix on debian:
+I've had problems with postfix on debian:
 on stretch, a startup ordering issue caused all mail to fail.
 postfix changed defaults to only use ipv6 dns, causing all my mail to fail.
-I haven\'t gotten around to getting a non-debian exim
+I haven't gotten around to getting a non-debian exim
 setup.
 
+
+
 -h|--help  Print help and exit.
 EOF
-    exit $1
+  exit $1
 }
 
 type=$1
@@ -44,13 +54,9 @@ postfix() { [[ $type == postfix ]]; }
 exim() { [[ $type == exim4 ]]; }
 
 if ! exim && ! postfix; then
-    usage 1
+  usage 1
 fi
 
-if [[ ! $SUDO_USER ]]; then
-    echo "$0: error: requires running as nonroot or sudo"
-fi
-u=$SUDO_USER
 
 
 ####### begin perstent password instructions ######
@@ -178,16 +184,28 @@ u=$SUDO_USER
 
 
 postconfin() {
-    local MAPFILE
-    mapfile -t
-    local s
-    postconf -ev "${MAPFILE[@]}"
+  local MAPFILE
+  mapfile -t
+  local s
+  postconf -ev "${MAPFILE[@]}"
 }
 e() { printf "%s\n" "$*"; }
+pi() { # package install
+  local s f
+  if dpkg -s -- "$@" &> /dev/null; then
+    return 0;
+  fi;
+  while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
+  f=/var/cache/apt/pkgcache.bin;
+  if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
+    apt-get update
+  fi
+  apt-get -y install --purge --auto-remove "$@"
+}
 
 postmaster=$u
 mxhost=mail.iankelling.org
-mxport=25
+mxport=587
 forward=$u@$mxhost
 
 # old setup. left as comment for example
@@ -201,59 +219,60 @@ smarthost="$mxhost::$mxport" # exim
 # trisquel 8 = openvpn, debian stretch = openvpn-client
 vpn_ser=openvpn-client
 if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
-    vpn_ser=openvpn
+  vpn_ser=openvpn
 fi
 
 if [[ $HOSTNAME == $MAIL_HOST ]]; then
-    # afaik, these will get ignored because they are routing to my own
-    # machine, but rm them is safer
-    rm -f $(eval echo ~$postmaster)/.forward /root/.forward
+  # afaik, these will get ignored because they are routing to my own
+  # machine, but rm them is safer
+  rm -f $(eval echo ~$postmaster)/.forward /root/.forward
 else
-    # this can\'t be a symlink and has permission restrictions
-    # it might work in /etc/aliases, but this seems more proper.
-    install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
+  # this can\'t be a symlink and has permission restrictions
+  # it might work in /etc/aliases, but this seems more proper.
+  install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
 fi
 
 # offlineimap uses this too, it is much easier to use one location than to
 # condition it\'s config and postfix\'s config
 if [[ -f /etc/fedora-release ]]; then
-    /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt
+  /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt
 fi
 
 if postfix; then
-    # dunno why, but debian installed postfix with builddep emacs
-    # but I will just explicitly install it here since
-    # I use it for sending mail in emacs.
-    if command -v apt-get &> /dev/null; then
-        debconf-set-selections <<EOF
+  # dunno why, but debian installed postfix with builddep emacs
+  # but I will just explicitly install it here since
+  # I use it for sending mail in emacs.
+  if command -v apt-get &> /dev/null; then
+    debconf-set-selections <<EOF
 postfix postfix/main_mailer_type select Satellite system
-postfix postfix/mailname string $HOSTNAME
+postfix postfix/mailname string $(hostname -f)
 postfix postfix/relayhost string $relayhost
 postfix postfix/root_address string $postmaster
 EOF
-        if dpkg -s postfix &>/dev/null; then
-            dpkg-reconfigure -u -fnoninteractive postfix
-        else
-            apt-get -y install --purge --auto-remove postfix
-        fi
+    if dpkg -s postfix &>/dev/null; then
+      while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
+      dpkg-reconfigure -u -fnoninteractive postfix
     else
-        source /a/bin/distro-functions/src/package-manager-abstractions
-        pi postfix
-        # Settings from reading the output when installing on debian,
-        # then seeing which were different in a default install on arch.
-        # I assume the same works for fedora.
-        postconfin <<EOF
+      pi postfix
+    fi
+  else
+    source /a/bin/distro-functions/src/package-manager-abstractions
+    pi postfix
+    # Settings from reading the output when installing on debian,
+    # then seeing which were different in a default install on arch.
+    # I assume the same works for fedora.
+    postconfin <<EOF
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 relayhost = $relayhost
 inet_interfaces = loopback-only
 EOF
 
-        systemctl enable postfix
-        systemctl start postfix
-    fi
-    # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
-    postconfin <<'EOF'
+    systemctl enable postfix
+    systemctl start postfix
+  fi
+  # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
+  postconfin <<'EOF'
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
@@ -262,68 +281,58 @@ message_size_limit =  20480000
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 inet_protocols = ipv4
 EOF
-    # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
-    # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
-    # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
-
-
-    f=/etc/postfix/sasl_passwd
-    install -m 600 /dev/null $f
-    cat /etc/mailpass| while read -r domain port pass; do
-        # format: domain port user:pass
-        # mailpass is just a name i made up, since postfix and
-        # exim both use a slightly crazy format to translate to
-        # each other, it\'s easier to use my own format.
-        printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
-    done
-    postmap hash:/etc/postfix/sasl_passwd
-    # need restart instead of reload when changing
-    # inet_protocols
-    service postfix restart
+  # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
+  # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
+  # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
+
+
+  f=/etc/postfix/sasl_passwd
+  install -m 600 /dev/null $f
+  cat /etc/mailpass| while read -r domain port pass; do
+    # format: domain port user:pass
+    # mailpass is just a name i made up, since postfix and
+    # exim both use a slightly crazy format to translate to
+    # each other, it\'s easier to use my own format.
+    printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
+  done
+  postmap hash:/etc/postfix/sasl_passwd
+  # need restart instead of reload when changing
+  # inet_protocols
+  service postfix restart
 
 else # begin exim. has debian specific stuff for now
 
-    if ! dpkg -s openvpn &>/dev/null; then
-        apt-get -y install --purge --auto-remove openvpn
-    fi
+  pi openvpn
 
-    if [[ -e /p/c/filesystem ]]; then
-        # to put the hostname in the known hosts
-        ssh -o StrictHostKeyChecking=no root@li.iankelling.org :
-        /a/exe/vpn-mk-client-cert -b mail -n mail li.iankelling.org
+  if [[ -e /p/c/filesystem ]]; then
+    # allow failure of these commands when our internet is down, they are likely not needed,
+    # we check that a valid cert is there already.
+    # to put the hostname in the known hosts
+    if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
+      # This just causes failure if our cert is going to expire in the next 30 days.
+      # Certs I generate last 10 years.
+      openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
+    else
+      # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
+      # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
+      # after my internet was down for a bit:
+      # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
+      /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
     fi
+  fi
 
-    cat >/etc/systemd/system/mailroute.service <<EOF
+  cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
 [Unit]
-# this unit is configured to start and stop whenever $vpn_ser@mail.service
-# does
-Description=Routing for email vpn
-After=network.target
-BindsTo=$vpn_ser@mail.service
-After=$vpn_ser@mail.service
-
-[Service]
-Type=oneshot
-ExecStart=/a/bin/distro-setup/mail-route start
-ExecStop=/a/bin/distro-setup/mail-route stop
-RemainAfterExit=yes
-
-[Install]
-RequiredBy=$vpn_ser@mail.service
-EOF
-
-    cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
-[Unit]
-Description=Run offlineimap-sync once every 5 mins
+Description=Run offlineimap-sync once every min
 
 [Timer]
-OnCalendar=*:0/5
+OnCalendar=*:0/1
 
 [Install]
 WantedBy=timers.target
 EOF
 
-    cat >/etc/systemd/system/offlineimapsync.service <<EOF
+  cat >/etc/systemd/system/offlineimapsync.service <<EOF
 [Unit]
 Description=Offlineimap sync
 After=multi-user.target
@@ -333,47 +342,129 @@ User=$u
 Type=oneshot
 ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
 EOF
-    systemctl daemon-reload
-    systemctl enable mailroute
-
-    # wording of question from dpkg-reconfigure exim4-config
-    # 1. internet site; mail is sent and received directly using SMTP
-    # 2. mail sent by smarthost; received via SMTP or fetchmail
-    # 3. mail sent by smarthost; no local mail
-    # 4. local delivery only; not on a network
-    # 5. no configuration at this time
-    #
-    # Note, I have used option 2 in the past for receiving mail
-    # from lan hosts, sending external mail via another smtp server.
-    #
-    # Note, other than configtype, we could set all the options in
-    # both types of configs without harm, they would either be
-    # ignored or be disabled by other settings, but the default
-    # local_interfaces definitely makes things more secure.
-
-    # most of these settings get translated into settings
-    # in /etc/exim4/update-exim4.conf.conf
-    # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
-    # documented in man update-exim4.conf, which outputs to the config that
-    # exim actually reads. except the man page is not perfect, for example,
-    # it doesn't document that it sets
-    # DCconfig_${dc_eximconfig_configtype}" "1"
-    # which is a line from update-exim4.conf, which is a relatively short bash script.
-    # mailname setting sets /etc/mailname
-
-    debconf-set-selections <<EOF
+  systemctl daemon-reload
+
+  # wording of question from dpkg-reconfigure exim4-config
+  # 1. internet site; mail is sent and received directly using SMTP
+  # 2. mail sent by smarthost; received via SMTP or fetchmail
+  # 3. mail sent by smarthost; no local mail
+  # 4. local delivery only; not on a network
+  # 5. no configuration at this time
+  #
+  # Note, I have used option 2 in the past for receiving mail
+  # from lan hosts, sending external mail via another smtp server.
+  #
+  # Note, other than configtype, we could set all the options in
+  # both types of configs without harm, they would either be
+  # ignored or be disabled by other settings, but the default
+  # local_interfaces definitely makes things more secure.
+
+  # most of these settings get translated into settings
+  # in /etc/exim4/update-exim4.conf.conf
+  # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
+  # documented in man update-exim4.conf, which outputs to the config that
+  # exim actually reads. except the man page is not perfect, for example,
+  # it doesn't document that it sets
+  # DCconfig_${dc_eximconfig_configtype}" "1"
+  # which is a line from update-exim4.conf, which is a relatively short bash script.
+  # mailname setting sets /etc/mailname
+
+  debconf-set-selections <<EOF
 exim4-config exim4/use_split_config boolean true
 EOF
 
-    source /a/bin/bash_unpublished/source-semi-priv
-    exim_main_dir=/etc/exim4/conf.d/main
-    mkdir -p $exim_main_dir
+  source /a/bin/bash_unpublished/source-semi-priv
+  mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
 
+  cat >/etc/exim4/rcpt_local_acl <<'EOF'
+# Only hosts we control send to mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+  message = ian trusted domain recepient but no auth
+  !authenticated = *
+  domains = mail.iankelling.org
+EOF
+  cat >/etc/exim4/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+  warn
+    condition = ${if < {$message_size}{2000K}}
+    spam = Debian-exim:true
+    add_header = X-Spam_score: $spam_score\n\
+              X-Spam_score_int: $spam_score_int\n\
+              X-Spam_bar: $spam_bar\n\
+              X-Spam_report: $spam_report
 
+EOF
+  cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
 
-    #### begin mail cert setup ###
-    f=/usr/local/bin/mail-cert-cron
-    cat >$f <<'EOF'
+  cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+### router/900_exim4-config_local_user
+#################################
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+  debug_print = "R: local_user for $local_part@$domain"
+  driver = accept
+  domains = +local_domains
+# ian: commented this, in conjunction with a dovecot lmtp
+# change so I get mail for all users.
+#  check_local_user
+  local_parts = ! root
+  transport = LOCAL_DELIVERY
+  cannot_route_message = Unknown user
+EOF
+  cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+dovecot_lmtp:
+        driver = lmtp
+        socket = /var/run/dovecot/lmtp
+        #maximum number of deliveries per batch, default 1
+        batch_max = 200
+EOF
+
+  cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+  debug_print = "R: smarthost for $local_part@$domain"
+  driver = manualroute
+  domains = ! +local_domains
+  senders = *@fsf.org
+  transport = remote_smtp_smarthost
+  route_list = * mail.fsf.org byname
+  host_find_failed = ignore
+  same_domain_copy_routing = yes
+  no_more
+EOF
+
+
+  #### begin mail cert setup ###
+  f=/usr/local/bin/mail-cert-cron
+  cat >$f <<'EOF'
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
@@ -385,14 +476,27 @@ if [[ -e $f ]]; then
 fi
 if [[ $HOSTNAME == $MAIL_HOST ]]; then
     local_mx=mail.iankelling.org
-    rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
+    rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
     ${rsync_common}fullchain.pem /etc/exim4/exim.crt
+    ret=$?
     ${rsync_common}privkey.pem /etc/exim4/exim.key
+    new_ret=$?
+    if [[ $ret != $new_ret ]]; then
+       echo "$0: error: differing rsync returns, $ret, $new_ret"
+       exit 1
+    fi
 fi
+if [[ $new_ret != 0 ]]; then
+    if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
+        echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
+        exit 1
+    fi
+fi
+exit 0
 EOF
-    chmod 755 $f
+  chmod 755 $f
 
-    cat >/etc/systemd/system/mailcert.service <<'EOF'
+  cat >/etc/systemd/system/mailcert.service <<'EOF'
 [Unit]
 Description=Mail cert rsync
 After=multi-user.target
@@ -402,7 +506,7 @@ Type=oneshot
 ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
 EOF
 
-    cat >/etc/systemd/system/mailcert.timer <<'EOF'
+  cat >/etc/systemd/system/mailcert.timer <<'EOF'
 [Unit]
 Description=Run mail-cert once a day
 
@@ -412,18 +516,18 @@ OnCalendar=daily
 [Install]
 WantedBy=timers.target
 EOF
-    systemctl daemon-reload
-    systemctl start mailcert
-    systemctl restart mailcert.timer
-    systemctl enable mailcert.timer
+  systemctl daemon-reload
+  systemctl start mailcert
+  systemctl restart mailcert.timer
+  systemctl enable mailcert.timer
 
-    ##### end mailcert setup #####
+  ##### end mailcert setup #####
 
 
 
-    if [[ $HOSTNAME == $MAIL_HOST ]]; then
+  if [[ $HOSTNAME == $MAIL_HOST ]]; then
 
-        debconf-set-selections <<EOF
+    debconf-set-selections <<EOF
 # Mail Server configuration
 # -------------------------
 
@@ -460,6 +564,7 @@ exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent a
 # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
 
 # System mail name:
+# iank: see comment elsewhere on mailname
 exim4-config exim4/mailname string mail.iankelling.org
 
 
@@ -467,7 +572,7 @@ exim4-config exim4/mailname string mail.iankelling.org
 
 # Please enter a semicolon-separated list of recipient domains for which this machine
 # should consider itself the final destination. These domains are commonly called
-# 'local domains'. The local hostname (treetowl.lan) and 'localhost' are always added
+# 'local domains'. The local hostname (kd.lan) and 'localhost' are always added
 # to the list given here.
 
 # By default all local domains will be treated identically. If both a.example and
@@ -532,11 +637,17 @@ exim4-config exim4/dc_postmaster string $postmaster
 # Delivery method for local mail: 2
 exim4-config exim4/dc_localdelivery select Maildir format in home directory
 EOF
-        # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
-        # smarthost config type, not sure. all other settings
-        # would be unused in that config type.
-        cat >$exim_main_dir/000_localmacros <<EOF
-# i don't have ipv6 setup for my tunnel yet.
+    echo mail.iankelling.org > /etc/mailname
+
+    # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
+    # smarthost config type, not sure. all other settings
+    # would be unused in that config type.
+    rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
+    cat >/etc/exim4/conf.d/main/000_local <<EOF
+# enable 587 in addition to the default 25, so that
+# i can send mail where port 25 is firewalled by isp
+daemon_smtp_ports = 25 : 587
+# i don't have ipv6 setup for my vpn tunnel yet.
 disable_ipv6 = true
 
 MAIN_TLS_ENABLE = true
@@ -554,12 +665,12 @@ DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exi
 
 
 # failing message on mail-tester.com:
-# We check if there is a server (A Record) behind your hostname treetowl.
-# You may want to publish a DNS record (A type) for the hostname treetowl or use a different hostname in your mail software
+# We check if there is a server (A Record) behind your hostname kd.
+# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
 # https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
 # and this one seemed appropriate from grepping config.
 # I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
-# mail to treetowl, so this should basically be a name that no host has as their
+# mail to kd, so this should basically be a name that no host has as their
 # canonical hostname since the actual host sits behind a nat and changes.
 # Seems logical for this to be the same as mailname.
 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
@@ -591,35 +702,41 @@ IGNORE_SMTP_LINE_LENGTH_LIMIT = true
 # keep your dkim signature intact but add list- headers.
 DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
 
+# recommended if dns is expected to work
+CHECK_RCPT_VERIFY_SENDER = true
+# seems like a good idea
+CHECK_DATA_VERIFY_HEADER_SENDER = true
+CHECK_RCPT_SPF = true
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_MAIL_HELO_ISSUED = true
 EOF
 
 
-        ####### begin dovecot setup ########
-        # based on a little google and package search, just the dovecot
-        # packages we need instead of dovecot-common.
-        #
-        # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
-        # directly.  The reason to do this is to use dovecot\'s sieve, which
-        # has extensions that allow it to be almost equivalent to exim\'s
-        # filter capabilities, some ways probably better, some worse, and
-        # sieve has the benefit of being supported in postfix and
-        # proprietary/weird environments, so there is more examples on the
-        # internet. I was torn about whether to do this or not, meh.
-        apt-get -y install --purge --auto-remove \
-                dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
-
-        # if we changed 90-sieve.conf and removed the active part of the
-        # sieve option, we wouldn\'t need this, but I\'d rather not modify a
-        # default config if not needed. This won\'t work as a symlink in /a/c
-        # unfortunately.
-        sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
-
-        sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+    ####### begin dovecot setup ########
+    # based on a little google and package search, just the dovecot
+    # packages we need instead of dovecot-common.
+    #
+    # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+    # directly.  The reason to do this is to use dovecot\'s sieve, which
+    # has extensions that allow it to be almost equivalent to exim\'s
+    # filter capabilities, some ways probably better, some worse, and
+    # sieve has the benefit of being supported in postfix and
+    # proprietary/weird environments, so there is more examples on the
+    # internet. I was torn about whether to do this or not, meh.
+    pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+    # if we changed 90-sieve.conf and removed the active part of the
+    # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+    # default config if not needed. This won\'t work as a symlink in /a/c
+    # unfortunately.
+    sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
+
+    sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
 1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
 /^\s*mail_location\s*=/d
 EOF
 
-        cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+    cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
 protocol lmtp {
 #per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
   mail_plugins = \$mail_plugins sieve
@@ -657,7 +774,7 @@ protocol lmtp {
 EOF
 
 
-        cat >/etc/dovecot/local.conf <<'EOF'
+    cat >/etc/dovecot/local.conf <<'EOF'
 # so I can use a different login that my shell login for mail.  this is
 # worth doing solely for the reason that if this login is compromised,
 # it won't also compromise my shell password.
@@ -679,82 +796,99 @@ ssl_prefer_server_ciphers = yes
 # auth_verbose=yes
 #mail_debug=yes
 EOF
-        ####### end dovecot setup ########
-
-
-        systemctl enable offlineimapsync.timer
-        systemctl start offlineimapsync.timer
-        systemctl restart $vpn_ser@mail
-        systemctl enable $vpn_ser@mail
-        systemctl enable dovecot
-        systemctl restart dovecot
-
-    else # $HOSTNAME != $MAIL_HOST
-        systemctl disable offlineimapsync.timer &>/dev/null ||:
-        systemctl stop offlineimapsync.timer &>/dev/null ||:
-        systemctl disable $vpn_ser@mail
-        systemctl stop $vpn_ser@mail
-        systemctl disable dovecot ||:
-        systemctl stop dovecot ||:
-        #
-        #
-        # would only exist because I wrote it i the previous condition,
-        # it\'s not part of exim
-        rm -f $exim_main_dir/000_localmacros
-        debconf-set-selections <<EOF
+    ####### end dovecot setup ########
+
+    # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
+    d=/etc/systemd/system/openvpn@mail
+    mkdir -p $d
+    cat >$d/override.conf <<'EOF'
+[Service]
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+[Unit]
+# StartLimitIntervalSec in recent systemd versions
+StartLimitInterval=0
+EOF
+
+    systemctl enable offlineimapsync.timer
+    systemctl start offlineimapsync.timer
+    systemctl restart $vpn_ser@mail
+    systemctl enable $vpn_ser@mail
+    systemctl enable dovecot
+    systemctl restart dovecot
+
+  else # $HOSTNAME != $MAIL_HOST
+    systemctl disable offlineimapsync.timer &>/dev/null ||:
+    systemctl stop offlineimapsync.timer &>/dev/null ||:
+    systemctl disable $vpn_ser@mail
+    systemctl stop $vpn_ser@mail
+    systemctl disable dovecot ||:
+    systemctl stop dovecot ||:
+    #
+    #
+    # would only exist because I wrote it i the previous condition,
+    # it\'s not part of exim
+    rm -f /etc/exim4/conf.d/main/000_localmacros
+    debconf-set-selections <<EOF
 exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
 exim4-config exim4/dc_smarthost string $smarthost
-# the default, i think is from /etc/mailname. better to set it to
-# whatever the current fqdn is.
+# afaik, on dpkg-reconfigure noninteractive, this sets /etc/mailname if it does not exist.
+# if it does exist, it immediately changes the value to whats in /etc/mailname.
+# So, I don't think there's any point in setting it, but might as well since
+# ignoring what I set here is brain dead and might change.
 exim4-config exim4/mailname string $(hostname -f)
 EOF
-
-    fi # end $HOSTNAME != $MAIL_HOST
-
-    # if we already have it installed, need to reconfigure, without being prompted
-    if dpkg -s exim4-config &>/dev/null; then
-        # gotta remove this, otherwise the set-selections are completely
-        # ignored. It woulda been nice if this was documented somewhere!
-        rm -f /etc/exim4/update-exim4.conf.conf
-        dpkg-reconfigure -u -fnoninteractive exim4-config
-    fi
-
-    # i have the spool directory be common to distro multi-boot, so
-    # we need the uid to be the same. 608 cuz it's kind of in the middle
-    # of the free system uids.
-    IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ); unset IFS
-    IFS=:; read _ _ gid _ < <(getent group Debian-exim ); unset IFS
-    if [[ ! $uid ]]; then
-        # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
-	adduser --uid 608 --gid 608 --system --group --quiet --home /var/spool/exim4 \
-	        --no-create-home --disabled-login --force-badname Debian-exim
-    elif [[ $uid != 608 ]]; then
-        systemctl stop exim4 ||:
-        usermod -u 608 Debian-exim
-        groupmod -g 608 Debian-exim
-        usermod -g 608 Debian-exim
-        find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
-        find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
-    fi
-
-    # light version of exim does not have sasl auth support.
-    apt-get -y install --purge --auto-remove exim4-daemon-heavy spamassassin
-
-
-
-
-    ##### begin spamassassin config
-    systemctl enable spamassassin
-    # per readme.debian
-    sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
-    e CRON=1 >>/etc/default/spamassassin
-    # just noticed this in the config file, seems like a good idea.
-    sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
-    e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
-    systemctl start spamassassin
-    systemctl reload spamassassin
-
-    cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
+    hostname -f > /etc/mailname
+
+  fi # end $HOSTNAME != $MAIL_HOST
+
+  # if we already have it installed, need to reconfigure, without being prompted
+  if dpkg -s exim4-config &>/dev/null; then
+    # gotta remove this, otherwise the set-selections are completely
+    # ignored. It woulda been nice if this was documented somewhere!
+    rm -f /etc/exim4/update-exim4.conf.conf
+    while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
+    dpkg-reconfigure -u -fnoninteractive exim4-config
+  fi
+
+  # i have the spool directory be common to distro multi-boot, so
+  # we need the uid to be the same. 608 cuz it's kind of in the middle
+  # of the free system uids.
+  IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
+  IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
+  if [[ ! $uid ]]; then
+    # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
+    adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
+	    --no-create-home --disabled-login --force-badname Debian-exim
+  elif [[ $uid != 608 ]]; then
+    systemctl stop exim4 ||:
+    usermod -u 608 Debian-exim
+    groupmod -g 608 Debian-exim
+    usermod -g 608 Debian-exim
+    find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
+    find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
+  fi
+
+
+  # light version of exim does not have sasl auth support.
+  pi exim4-daemon-heavy spamassassin spf-tools-perl
+
+
+
+  ##### begin spamassassin config
+  systemctl enable spamassassin
+  # per readme.debian
+  sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+  e CRON=1 >>/etc/default/spamassassin
+  # just noticed this in the config file, seems like a good idea.
+  sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+  e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+  systemctl start spamassassin
+  systemctl reload spamassassin
+
+  cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
 [Unit]
 Description=spamd dns bug fix cronjob
 
@@ -762,10 +896,10 @@ Description=spamd dns bug fix cronjob
 Type=oneshot
 ExecStart=/a/bin/distro-setup/spamd-dns-fix
 EOF
-    # 2017-09, debian closed the bug on this saying upstream had fixed it.
-    # remove this when i\'m using the newer package, ie, debian 10, or maybe
-    # ubuntu 18.04.
-    cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+  # 2017-09, debian closed the bug on this saying upstream had fixed it.
+  # remove this when i\'m using the newer package, ie, debian 10, or maybe
+  # ubuntu 18.04.
+  cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
 [Unit]
 Description=run spamd bug fix script every 10 minutes
 
@@ -779,119 +913,37 @@ OnUnitActiveSec=550
 [Install]
 WantedBy=timers.target
 EOF
-    systemctl daemon-reload
-    systemctl restart spamddnsfix.timer
-    systemctl enable spamddnsfix.timer
-    #
-    #####   end spamassassin config
-
+  systemctl daemon-reload
+  systemctl restart spamddnsfix.timer
+  systemctl enable spamddnsfix.timer
+  #
+  #####   end spamassassin config
 
 
 
 
-    cat >/etc/exim4/rcpt_local_acl <<'EOF'
-# Only hosts we control send to mail.iankelling.org, so make sure
-# they are all authed.
-# Note, if we wanted authed senders for all domains,
-# we could make this condition in acl_check_mail
-deny
-  message = ian trusted domain recepient but no auth
-  !authenticated = *
-  domains = mail.iankelling.org
-EOF
-    cat >/etc/exim4/data_local_acl <<'EOF'
-# Except for the "condition =", this was
-# a comment in the check_data acl. The comment about this not
-# being suitable is mostly bs. The only thing related I found was to
-# add the condition =, cuz spamassassin has problems with big
-# messages and spammers don't bother with big messages,
-# but I've increased the size from 10k
-# suggested in official docs, and 100k in the wiki example because
-# those docs are rather old and I see a 110k spam message
-# pretty quickly looking through my spam folder.
-  warn
-    condition = ${if < {$message_size}{2000K}}
-    spam = Debian-exim:true
-    add_header = X-Spam_score: $spam_score\n\
-              X-Spam_score_int: $spam_score_int\n\
-              X-Spam_bar: $spam_bar\n\
-              X-Spam_report: $spam_report
-
-EOF
-    cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
-# from 30_exim4-config_examples
-
-plain_server:
-driver = plaintext
-public_name = PLAIN
-server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-server_set_id = $auth2
-server_prompts = :
-.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
-.endif
-EOF
-
-    cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
-### router/900_exim4-config_local_user
-#################################
 
-# This router matches local user mailboxes. If the router fails, the error
-# message is "Unknown user".
+  # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+  # i only need .forwards, so just doing that one.
+  cd /etc/exim4/conf.d/router
+  b=userforward_higher_priority
+  # replace the router name so it is unique
+  sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
 
-local_user:
-  debug_print = "R: local_user for $local_part@$domain"
-  driver = accept
-  domains = +local_domains
-# ian: commented this, in conjunction with a dovecot lmtp
-# change so I get mail for all users.
-#  check_local_user
-  local_parts = ! root
-  transport = LOCAL_DELIVERY
-  cannot_route_message = Unknown user
-EOF
-    cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
-dovecot_lmtp:
-        driver = lmtp
-        socket = /var/run/dovecot/lmtp
-        #maximum number of deliveries per batch, default 1
-        batch_max = 200
-EOF
+  # begin setup passwd.client
+  f=/etc/exim4/passwd.client
+  rm -f /etc/exim4/passwd.client
+  install -m 640 -g Debian-exim /dev/null $f
+  cat /etc/mailpass| while read -r domain port pass; do
+    # reference: exim4_passwd_client(5)
+    printf "%s:%s\n" "$domain" "$pass" >>$f
+  done
+  # end setup passwd.client
 
-    cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
-# smarthost for fsf mail
-# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
-# replaced DCsmarthost with mail.fsf.org
-fsfsmarthost:
-  debug_print = "R: smarthost for $local_part@$domain"
-  driver = manualroute
-  domains = ! +local_domains
-  senders = *@fsf.org
-  transport = remote_smtp_smarthost
-  route_list = * mail.fsf.org byname
-  host_find_failed = ignore
-  same_domain_copy_routing = yes
-  no_more
-EOF
+  # by default, only 10 days of logs are kept. increase that.
+  sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
 
-    # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
-    # i only need .forwards, so just doing that one.
-    cd /etc/exim4/conf.d/router
-    b=userforward_higher_priority
-    # replace the router name so it is unique
-    sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
-
-    # begin setup passwd.client
-    f=/etc/exim4/passwd.client
-    rm -f /etc/exim4/passwd.client
-    install -m 640 -g Debian-exim /dev/null $f
-    cat /etc/mailpass| while read -r domain port pass; do
-        # reference: exim4_passwd_client(5)
-        printf "%s:%s\n" "$domain" "$pass" >>$f
-    done
-    # end setup passwd.client
-
-    systemctl restart exim4
+  systemctl restart exim4
 
 fi  #### end if exim4
 
@@ -902,11 +954,11 @@ fi  #### end if exim4
 # won\'t set up a root to $postmaster alias if it\'s already installed.
 # Since postfix is not the greatest, just set it ourselves.
 if [[ $postmaster != root ]]; then
-    sed -i --follow-symlinks -f - /etc/aliases <<EOF
+  sed -i --follow-symlinks -f - /etc/aliases <<EOF
 \$a root: $postmaster
 /^root:/d
 EOF
-    newaliases
+  newaliases
 fi
 
 # put spool dir in directory that spans multiple distros.
@@ -918,11 +970,11 @@ dir=/nocow/$type
 sdir=/var/spool/$type
 # we only do this if our system has $dir
 if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then
-    systemctl stop $type
-    if [[ ! -e $dir && -d $sdir ]]; then
-        mv $sdir $dir
-    fi
-    /a/exe/lnf -T $dir $sdir
+  systemctl stop $type
+  if [[ ! -e $dir && -d $sdir ]]; then
+    mv $sdir $dir
+  fi
+  /a/exe/lnf -T $dir $sdir
 fi
 
 systemctl restart $type
@@ -932,23 +984,23 @@ systemctl enable $type
 # for when MAIL_HOST changes, so radicale gets the synced files and
 # does not stop us from remounting /o.
 if dpkg -s radicale &>/dev/null; then
-    if [[ $HOSTNAME == $MAIL_HOST ]]; then
-        systemctl restart radicale
-        systemctl enable radicale
-        if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
-            mv /etc/logrotate.d/radicale{.disabled,}
-        fi
-    else
-        systemctl stop radicale
-        systemctl disable radicale
-        # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
-        if [[ -e /etc/logrotate.d/radicale ]]; then
-            mv /etc/logrotate.d/radicale{,.disabled}
-        fi
+  if [[ $HOSTNAME == $MAIL_HOST ]]; then
+    systemctl restart radicale
+    systemctl enable radicale
+    if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
+      mv /etc/logrotate.d/radicale{.disabled,}
+    fi
+  else
+    systemctl stop radicale
+    systemctl disable radicale
+    # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
+    if [[ -e /etc/logrotate.d/radicale ]]; then
+      mv /etc/logrotate.d/radicale{,.disabled}
     fi
+  fi
 fi
 exit 0
-
+:
 # if I wanted the from address to be renamed and sent to a different address,
 # echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
 # sudo postmap hash:/etc/postfix/recipient_canonical